Hi Alexandr,

Indeed it does!  Syncookies now get disabled when I remove or comment
out the 'set syncookies always' line and flush all rules and states.


Jesper Wallin

On Thu, Aug 15, 2019 at 11:20:53AM +0200, Alexandr Nedvedicky wrote:
> Hello Jesper,
> 
> thanks for the bug report.
> 
> </snip>
> 
> > The third issue is more about pf.conf(5).  By default, the syncookies
> > feature is disabled, meaning that if nothing is specified in my pf.conf,
> > syncookies are disabled.  However, if I add "set syncookies always" and
> > flush everything (doas pfctl -F all -f /etc/pf.conf), then change my
> > mind and remove it or comment it out, then flush everything again, it's
> > still enabled.  In order to disable syncookies, I need to actively turn
> > it off by adding "set syncookies never" and flushing everything again.
> 
>     I don't have a working PF at hand at the moment, so I can't try the patch
>     below. Does the patch below solve the 'pfctl -Fa ...' glitch?
> 
> 
> thanks and
> regards
> sashan
> 
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
> index f567b13b6d6..70ea905c728 100644
> --- a/sbin/pfctl/pfctl.c
> +++ b/sbin/pfctl/pfctl.c
> @@ -2434,6 +2434,7 @@ pfctl_reset(int dev, int opts)
>       pf.debug_set = 1;
>       pf.reass_set = 1;
>       pf.syncookieswat_set = 1;
> +     pf.syncookies_set = 1;
>       pf.ifname = strdup("none");
>       if (pf.ifname == NULL)
>               err(1, "%s: strdup", __func__);
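Review bot: the added `pf.syncookies_set = 1;` only marks the syncookies option as explicitly configured, the same way the neighbouring `pf.debug_set`, `pf.reass_set` and `pf.syncookieswat_set` lines do for their options; the mode value that the reset path will then push to the kernel is not visible in this hunk. Before committing, confirm that the reset initializes the syncookies mode to the documented default (disabled, i.e. the same state as `set syncookies never`) rather than leaving whatever the pfctl struct happened to contain, and exercise the sequence from the report as a regression check: load a pf.conf with `set syncookies always`, run `pfctl -F all -f /etc/pf.conf` with the line removed, and verify with `pfctl -s info` that the mode is back to the default. The pf.conf(5) wording ("By default, the syncookies feature is disabled") is what the flush behaviour should match.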
